CVE-2024-52798
CVE-2024-52798 is a high-severity vulnerability with a CVSS 4.0 base score of 7.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1333.
Key facts
- Severity: High (CVSS 4.0 base score 7.7)
- EPSS exploit prediction: 1% (52nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-3506
- Weakness: CWE-1333
- Published:
- Last modified:
Description
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Frequently asked questions
- What is CVE-2024-52798?
- path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
- How severe is CVE-2024-52798?
- CVE-2024-52798 has a CVSS 4.0 base score of 7.7, rated high severity.
- Is CVE-2024-52798 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-52798?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-52798 have an EU (EUVD) identifier?
- Yes. CVE-2024-52798 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-3506.
- When was CVE-2024-52798 published?
- CVE-2024-52798 was published on 2024-12-05 and last updated on 2026-06-17.
References
- https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4
- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w
- https://security.netapp.com/advisory/ntap-20250124-0002/
Other CWE-1333 vulnerabilities
- CVE-2026-35458 — Critical (CVSS 9.8): Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile…
- CVE-2023-29486 — Critical (CVSS 9.8): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass…
- CVE-2026-25547 — Critical (CVSS 9.2): @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1,…
- CVE-2023-29487 — Critical (CVSS 9.1): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS,…
- CVE-2026-47138 — High (CVSS 8.7): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to…
- CVE-2025-6998 — High (CVSS 8.7): ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated…